QRT commit 97a96290cd862f2fcf6c4737ddfcfeefe3bfd0d0 was used for
testing.
After `sudo ./install-packages test-apparmor.py`, I manually installed
the -proposed versions of the other apparmor packages.
$ apt list --installed '*apparmor*'
apparmor-profiles/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 all [installed]
apparmor-utils/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 all [installed]
apparmor/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 amd64 [installed,automatic]
libapparmor-dev/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 amd64 [installed]
libapparmor1/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 amd64 [installed,autom>
libpam-apparmor/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 amd64 [installed]
python3-apparmor/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 all [installed,aut>
python3-libapparmor/plucky-proposed,now 4.1.0~beta5-0ubuntu14.1 amd64 [installe>
$ apt policy apparmor-profiles
apparmor-profiles:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy apparmor-utils
apparmor-utils:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy apparmor
apparmor:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy libapparmor-dev
libapparmor-dev:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy libapparmor1
libapparmor1:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy libpam-apparmor
libpam-apparmor:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy python3-apparmor
python3-apparmor:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy python3-libapparmor
python3-libapparmor:
Installed: 4.1.0~beta5-0ubuntu14.1
Candidate: 4.1.0~beta5-0ubuntu14.1
Version table:
*** 4.1.0~beta5-0ubuntu14.1 100
100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
100 /var/lib/dpkg/status
4.1.0~beta5-0ubuntu14 500
500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
Abbreviated QRT test results from `sudo test-apparmor.py -v`:
Ran 62 tests in 1583.322s
Ok (skipped=3)
Running `apt-get source apparmor` downloaded 4.1.0~beta5-0ubuntu14.1,
with regression-verify-documented-mount-flag-behavior.patch applied.
After building and running the regression test suite with USE_SYSTEM=1,
`mount` was listed as one of the tests that passed.
Test plan verification successful
** Tags removed: verification-needed verification-needed-plucky
** Tags added: verification-done verification-done-plucky
--
https://bugs.launchpad.net/bugs/2110688
Title:
apparmor parser incorrectly treats norelatime mount flag as a no-op
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Plucky:
Fix Committed
Status in apparmor source package in Questing:
Fix Released
Bug description:
[ Impact ]
The parser did not handle the norelatime mount flag correctly,
essentially treating its addition to a list of mount flags as a no-op.
A test should also be included to ensure that the behavior is fixed
and not broken again.
[ Test Plan ]
This bug is caught by an addition to AppArmor's regression test suite,
which is also invoked via its QRT test suite via
`ApparmorTestsuites.test_regression_testsuite`.
* To prepare the QRT test suite (can be done on any machine):
  - `git clone https://git.launchpad.net/qa-regression-testing`
  - `./scripts/make-test-tarball ./scripts/test-apparmor.py`
* To run the QRT test suite:
  - Copy the tarball onto the machine with the new AppArmor installed and
    extract it
  - `sudo ./install-packages test-apparmor.py`
  - Reboot the machine
  - `sudo ./test-apparmor.py -v`
Unfortunately, the regression testsuite itself has no way of printing
the full list of tests it successfully executed. Below are
instructions for running the regression test suite by hand, including
the modified mount test:
* `apt install dpkg-dev pkg-config libapparmor-dev`
* `apt-get source apparmor`
* Verify that the downloaded version is 4.1.0~beta5-0ubuntu14.1 or greater
* Verify that patch
  debian/patches/ubuntu/regression-verify-documented-mount-flag-behavior.patch
  was applied upon download
* `cd [source]/tests/regression/apparmor`
* Ensure that all the parent directories of the regression test folder are
  world-readable and world-executable, and 'chmod o+rx' any that are not
* `USE_SYSTEM=1 make -j[num]`
* If running the whole regression testsuite, the `make` command might print
  out warnings about skipped tests due to missing packages. Install any packages
  that it says are missing
* If running the whole regression testsuite, 'sudo USE_SYSTEM=1 make tests'
* If running just the mount tests, 'sudo USE_SYSTEM=1 bash mount.sh' and
  manually 'echo $?' afterwards to check that it exited with a status of 0
[ Where problems could occur ]
This parser fix changes the behavior of mount rules that explicitly
specify the norelatime flag. In particular, a custom profile
containing `mount options in (norelatime)` will have different, more
permissive behavior than before (reducing regression risk as compared
to tightening behavior). However, this flag is not used in any of the
commonly used profiles (including the ones in our repo and the profile
fragments used by snapd), so this will not change the behavior of
existing packaged profiles being used.
[ Other Info ]
This bug was originally reported at
https://gitlab.com/apparmor/apparmor/-/merge_requests/1679.
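
The bug description says only custom profiles that name norelatime in a mount rule change behavior with this fix. The following is an added example, not part of the bug report or of AppArmor, for auditing local profiles for such rules before upgrading. The function names, the default /etc/apparmor.d path and the simplified rule grammar (comments cut at `#`, no quoted strings) are assumptions of the example.

```python
import re
from pathlib import Path

# A mount/remount rule (optionally qualified) through its terminating comma;
# commas inside (...) flag lists and {...} alternations do not end the rule.
RULE_RE = re.compile(
    r"(?:^|(?<=[,{}]))\s*(?P<rule>(?:(?:audit|allow|deny)\s+)*"
    r"(?:mount|remount)\b(?P<body>(?:[^,(){}]|\([^)]*\)|\{[^}]*\})*),)",
    re.MULTILINE,
)
# "options=(a, b)", "options in (a, b)" or a single bare "options=a".
OPTION_RE = re.compile(r"\boptions\s*(?:=|in\b)\s*(\([^)]*\)|[^\s,]+)")

# Constructed sample profile (not taken from any package).
SAMPLE = """\
# constructed sample profile
profile example /usr/bin/example {
  /usr/bin/mount rix,
  mount options=(rw, nosuid) /dev/sdb1 -> /mnt/data/,
  # mount options in (norelatime),
  audit mount options in (ro,
                          norelatime) -> /mnt/{a,b}/,
  remount options=norelatime /srv/,
}
"""

def find_norelatime_rules(text):
    """Return (line_number, rule) for each mount rule that lists norelatime."""
    cleaned = re.sub(r"#[^\n]*", "", text)  # drop comments, keep line count
    hits = []
    for m in RULE_RE.finditer(cleaned):
        flags = set()
        for opt in OPTION_RE.finditer(m.group("body")):
            flags.update(re.split(r"[\s,()]+", opt.group(1)))
        if "norelatime" in flags:
            line = cleaned.count("\n", 0, m.start("rule")) + 1
            hits.append((line, " ".join(m.group("rule").split())))
    return hits

def scan_profiles(root="/etc/apparmor.d"):
    """Map each file under root to its norelatime mount rules, if any."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = find_norelatime_rules(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    for path, hits in scan_profiles().items():
        for line, rule in hits:
            print(f"{path}:{line}: {rule}")
```

An empty result means no scanned profile is affected by the behavior change; any hit is a rule to re-review against the fixed parser.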